Investigating Failed Logons

Logon Activity
Copy Article URL Copied


You have encountered a situation where an account is getting locked out from multiple failed logons. Reports show that this account is in fact performing failed logons, however, the events from which Netwrix Auditor has parsed do not provide what is causing the logon events on the workstation.


There are several root causes for this scenario, but most commonly there are services or applications that are running via the locked out account. The stored credentials become expired and when the service or application attempts to authenticate via the account, it performs a failed logon.


If further investigation is need, the XML query below can be executed against the Security Event Logs of systems that you suspect the account to being performing failed logons.

In order to populate the Security Log with logon/logoff details, you will need to enable logon/logoff auditing via local policy. The Security Log will now provide additional logon activity details.

Next, navigate to the Windows Event Viewer and open the Security Log. Filter the log, as seen here

Enter the following query into the XML tab

 <Query Id="0" Path="Security">
 <Select Path="Security">*[System[(EventID=4625 or EventID=4776 or EventID=4777 or EventID=4624 or EventID=4634 or EventID=4740 or EventID=4767 or EventID=4768 or EventID=4769 or EventID=4779) and TimeCreated[timediff(@SystemTime) <= 43200000]]] and *[EventData[Data[@Name ='TargetUserName'] ='ACCOUNT_IN_QUESTION']]</Select>

You can remove or expand the time frame by manipulating the TimeCreated[timediff(@SystemTime) <= 43200000] element of the query.

  • Last Hour = 3600000
  • Last 12 Hours = 43200000
  • Last 24 Hours = 86400000
  • Last 7 days = 604800000
Go Up